This link https://www.cockroachlabs.com/docs/stable/create-security-certificates-custom-ca.html mentions using an “external public CA”.
However, my understanding is that the authentication mechanism is somewhat limited, in that it trusts any incoming connection if the CN is node, the certificate is signed by the same CA, and the IP address is listed in the server node’s Subject Alternative Name fields.
I.e., if we had a multi-cloud deployment with a public proxy to proxy replica connections and placed that IP in the Subject Alternative Name fields, and we used a public CA (e.g. Let’s Encrypt), then anybody could join our cluster.
If this is correct there should be a large warning, or better wording to recommend against using public CAs.
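As an added example, not part of the original post and not CockroachDB's own code, the Go program below models the trust rule the post describes (chain to a trusted root, CN=node, peer IP present in the SAN) with throwaway in-memory CAs. The helpers `newCA`, `issue` and `acceptNode`, the CA names and the IP addresses (taken from documentation ranges) are all constructed for the example; whether CockroachDB's actual check matches this model is the question the post raises, not something the example asserts.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// ca is a throwaway in-memory certificate authority (hypothetical helper, not CockroachDB code).
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

var serial int64

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func nextSerial() *big.Int {
	serial++
	return big.NewInt(serial)
}

// newCA mints a self-signed root certificate named name.
func newCA(name string) *ca {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          nextSerial(),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return &ca{cert: cert, key: key}
}

// issue signs a leaf certificate carrying the given CN and SAN IP entries.
func (c *ca) issue(cn string, ips ...net.IP) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: nextSerial(),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		IPAddresses:  ips,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, c.cert, &key.PublicKey, c.key)
	check(err)
	leaf, err := x509.ParseCertificate(der)
	check(err)
	return leaf
}

// acceptNode applies the rule the post describes: the leaf must chain to a root
// in pool, its CN must be "node", and the peer's IP must appear in its SAN.
func acceptNode(leaf *x509.Certificate, pool *x509.CertPool, peer net.IP) error {
	opts := x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	if leaf.Subject.CommonName != "node" {
		return errors.New("CN is not node")
	}
	for _, ip := range leaf.IPAddresses {
		if ip.Equal(peer) {
			return nil
		}
	}
	return errors.New("peer IP not in SAN")
}

// Results records whether each constructed scenario passes acceptNode.
type Results struct {
	ClusterCAMatch         bool // cluster root, CN=node, peer IP in SAN
	ClusterCAWrongIP       bool // cluster root, but peer connects from an IP not in SAN
	ClusterCAWrongCN       bool // cluster root, CN is not node
	OtherCAClusterRootOnly bool // other root issued CN=node with the same SAN; pool trusts cluster root only
	OtherCAPoolWidened     bool // same leaf, but the pool now also trusts the other root
}

func Scenarios() Results {
	cluster := newCA("cluster-root")
	other := newCA("other-root")           // stands in for any CA outside the operator's control
	proxyIP := net.ParseIP("203.0.113.10") // constructed value from a documentation range

	onlyCluster := x509.NewCertPool()
	onlyCluster.AddCert(cluster.cert)
	widened := x509.NewCertPool()
	widened.AddCert(cluster.cert)
	widened.AddCert(other.cert)

	fromOther := other.issue("node", proxyIP)
	return Results{
		ClusterCAMatch:         acceptNode(cluster.issue("node", proxyIP), onlyCluster, proxyIP) == nil,
		ClusterCAWrongIP:       acceptNode(cluster.issue("node", proxyIP), onlyCluster, net.ParseIP("198.51.100.7")) == nil,
		ClusterCAWrongCN:       acceptNode(cluster.issue("root", proxyIP), onlyCluster, proxyIP) == nil,
		OtherCAClusterRootOnly: acceptNode(fromOther, onlyCluster, proxyIP) == nil,
		OtherCAPoolWidened:     acceptNode(fromOther, widened, proxyIP) == nil,
	}
}

func main() {
	fmt.Printf("%+v\n", Scenarios())
}
```

The last two scenarios are the point: the CN and SAN checks only constrain certificates that already chain to a root in the pool, so the set of roots the cluster trusts, and who can obtain certificates from those roots, is the actual security boundary. A root whose issuance the operator does not control widens that boundary to everyone that root will issue to.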